SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Does sshd's MaxAuthTries setting do what you want?
Code:
MaxAuthTries
Specifies the maximum number of authentication attempts permitted per connection. Once the number of
failures reaches half this value, additional failures are logged. The default is 6.
Does sshd's MaxAuthTries setting do what you want?
Not quite. I'd like it to build a "hosts.deny"-like list so that after a number of failures, the connection couldn't be reestablished. If I understand this, it would log & drop the connection, but the far-seide could still restart the connection. Its and anti-hammering technique to prevent dictionary attacks.
I also had similar issues (lots of login attempts in the log files). I changed the ssh settings first but I also found the following Iptables based solution somewhere on the net. It should drop the packets from an IP address if there has been 3 unsuccessful login attempts in the last 60 seconds (I don't know much about iptables and what I just said could be wrong, sorry ) :
You put this in /etc/rc.d/rc.firewall and make the file executable:
Code:
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
--set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
--update --seconds 60 --hitcount 4 -j DROP
Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP that makes too many password failures. It updates firewall rules to reject the IP address.
Feel free to point out any flaws in my logic -- it would just mean I would change my security settings (and I'm sure would help everyone in the long run)
Well if you can get access to your router from the internet that means if someone breaks it he breaks into 192.168.1 (or whatever your subnet is). and that means that he can start hacking your ip from the router. If I understand it right it's just 2 boxes needed to be hacked before someone gets access to your pc, instead of one
Well if you can get access to your router from the internet that means if someone breaks it he breaks into 192.168.1 (or whatever your subnet is). and that means that he can start hacking your ip from the router. If I understand it right it's just 2 boxes needed to be hacked before someone gets access to your pc, instead of one
Supplement the previous plan with mac address filtering and static IPs (though mac addresses can be spoofed), close any services on the router, filter ssh etc. by mac addresses (iptables rules?) etc.
Security is a work-in-progress, not an end-solution.
I get lots of attempts like this for years. Since I use strong passwords I get no troubles yet.
But some questions are still unclear for me.
1. If somebody tries to log with username what does not exist he can see the 'user dose not exist' answer?
2. If he tries to log an existing user with wrong password, can he see that the username is good but the password is not?
3. Is it possible to see information like wrong password attempts? I mean if somebody tries to log as root with bad password "password" can I make some list of the passwords what was tried? So if somebody tries more passwords I can list them?
I get lots of attempts like this for years. Since I use strong passwords I get no troubles yet.
But some questions are still unclear for me.
1. If somebody tries to log with username what does not exist he can see the 'user dose not exist' answer?
2. If he tries to log an existing user with wrong password, can he see that the username is good but the password is not?
Nope. He'll get no feedback. Only the permission denied (publickey,password).
I do recommend you move your ssh port out of the range that nmap scans by default. Anywhere high up is good. My first month of running an ssh server gave me roughly 90,000 break in attempts. I moved the port up, and since then it stopped. I have not had an attack since (lazy script kiddies)
Quote:
Originally Posted by hua
3. Is it possible to see information like wrong password attempts? I mean if somebody tries to log as root with bad password "password" can I make some list of the passwords what was tried? So if somebody tries more passwords I can list them?
you can do sshd: ALL: DENY in hosts.deny, and then just add the hosts or IPs you want to allow in hosts.allow. that in itself can go a long way to locking it down, along with a firewall rule and using authenticated keys. and if you change the port, that's even another added layer of protection.
I use ssh constantly on my LAN, and those techniques seem to have kept me safe from any attacks.
I do recommend you move your ssh port out of the range that nmap scans by default. Anywhere high up is good. My first month of running an ssh server gave me roughly 90,000 break in attempts. I moved the port up, and since then it stopped. I have not had an attack since (lazy script kiddies)
Please note that while this advice will probably keep the stone-cold idiots out of the system, it doesn't actually increase security. If you want to actually make ssh more secure, you need to follow the advice about strong passwords or keys, disallowing root or locking down the IP range that the system can be accessed from. If you just move the ssh port and don't take these sorts of steps then the people you really need to worry about will still be able to find ssh and exploit it.
I do recommend you move your ssh port out of the range that nmap scans by default. Anywhere high up is good. My first month of running an ssh server gave me roughly 90,000 break in attempts. I moved the port up, and since then it stopped. I have not had an attack since (lazy script kiddies)
Please note that while this advice will probably keep the stone-cold idiots out of the system, it doesn't actually increase security. If you want to actually make ssh more secure, you need to follow the advice about strong passwords or keys, disallowing root or locking down the IP range that the system can be accessed from. If you just move the ssh port and don't take these sorts of steps then the people you really need to worry about will still be able to find ssh and exploit it.
Yes, excellent! Moving the port up gives no enhanced security, it should be read as 'in addition to' not 'instead of'.
It keeps the logs a lot cleaner. Simple bot attacks wont pass this 'first hurdle' (note to script kiddies: man nmap && nam ssh should give you an idea of what you are doing wrong). A human with half a notion of what he's doing wont be bothered by port numbers.
But the latter now stick out in the logs.
Would it be safe to assume btw that anyone who has the knowledge to move ssh to a different port also has the knowledge to appreciate the value of long and complicated passwords and out-of-the-ordinary login names??
I mention the latter as brute force attacks often guess regular user names (of an Anglo-Saksen signature, ie a lot of patricia's, eric's and richard's, but not a lot of günter's, wilhelm's or marietje's... giving us non-Engish a little unexpected edge in computer security )
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.